This topic describes how Carbon Black Cloud captures and renders the state of digital signatures that are associated with processes and files.
Carbon Black Cloud distinguishes among three ways of capturing digital signature telemetry and labels which approach produced each signature value it shows.
These distinctions help you judge whether the executables and other files observed on your endpoints are legitimate or anomalous, and decide how to prevent future unwanted activity.
Signature Definitions
- Effective Signature
- The Effective Signature is the signature at the time the process event occurred. This primary signature corresponds to the process publisher state: the state of the digital signature, or signatures, of a Windows or macOS process binary.
- Most Prevalent Signature
- Carbon Black reviews all prior signatures associated with a particular Windows hash to determine which signature is the most prevalent. This is sourced from the binary details, and can provide additional context when an Effective Signature is not available. Because different endpoints and process instances can render differing signature metadata, the signature seen the most for that process is the one shown. This signature has been observed for this file across your fleet of endpoints for the past 90 days (for customers who have Carbon Black Cloud Enterprise EDR with Windows endpoints).
- First Seen Signature
- The signature observed the first time Carbon Black Cloud noticed the file, on the first endpoint that reported it (for customers who have Carbon Black Cloud Endpoint Standard). This is the first signature associated with this particular hash within your organization. This field is only available on data from Carbon Black Analytics, and can provide more context when an Effective Signature is not available. Note, however, that the latest event in the process can carry a signature that differs from the First Seen Signature.
How Carbon Black Cloud Determines which Signature to Display
Carbon Black Cloud shows the Effective Signature whenever effective signature data is available. It then falls back to the Most Prevalent Signature where that is available, and shows the First Seen Signature only when the Most Prevalent Signature is not available.
Carbon Black Cloud is designed to present consistent signature data when tracking an investigation from page to page in the console, when comparing API responses to the console, or when comparing console and API to Data Forwarder output.
On the Alert Triage page, the Signature Verification value mirrors the value that is presented under Effective Signature.
In the console, the following pages show one-line summaries and a detailed Signature section:
- Alerts
- Alert Triage
- Investigate
- Process Analysis
The following information displays:
- A one-line summary reports the Effective Signature state and publisher.
- The Details panels show all available properties for the Effective Signature, and show either the Most Prevalent Signature or the First Seen Signature, whichever is available.
- For each of Effective Signature, Most Prevalent Signature, or First Seen Signature, the console reports four properties:
- Signature Status: Defines whether a signature is present, and if so, whether it has been verified.
- Publisher: Common Name in the certificate used to sign the file.
- Certificate Authority: Common Name in the certificate used to sign the Publisher certificate.
- Product: Product Name property of the Portable Executable header in the Windows binary.
When the console shows a popup that lets you ban or approve a specific hash throughout your organization:
- The message "This hash has been seen on x devices…" obtains that count from the best available API that populates Investigate search.
- For customers who have Carbon Black Cloud Enterprise EDR, the Processes Search API determines how many endpoints reported activity for that hash.
- For other customers, the Observations Search API determines how many endpoints reported activity for that hash.
Note: For Carbon Black Cloud Enterprise EDR customers, the prevalence data is based on comprehensive Carbon Black Cloud Enterprise EDR event reporting, and is expected to be accurate. For customers who have Carbon Black Cloud Endpoint Standard only, the prevalence data is based on the Observations data, which is less comprehensive and thus represents the lower bound of prevalence (that is, the binary might have executed on more devices than the count shown).
- The console generally displays Effective Signature (where process events are available through the process_guid) and either Most Prevalent Signature or First Seen Signature (except for Linux hashes and the Windows SYSTEM process).
When signature data can never exist, Carbon Black Cloud does not show these Signature properties in the console. For example, it always suppresses them for Linux processes and for the Windows SYSTEM process.
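The display priority above (Effective, then Most Prevalent, then First Seen), the suppression rule for Linux and the Windows SYSTEM process, and the point that an instance's signature can differ from the historical one, as an added example that is not Carbon Black Cloud code. The record layout and field names are this example's own assumptions for normalized console, API or Data Forwarder output, and the sample record is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Signature:
    """The four properties the console reports for every signature kind."""
    status: str                      # Signature Status, e.g. "Signed and verified"
    publisher: Optional[str] = None  # Common Name of the signing certificate
    authority: Optional[str] = None  # Common Name of the CA that issued it
    product: Optional[str] = None    # Product Name from the PE header (Windows)

@dataclass
class ProcessRecord:
    """Constructed record; these field names are this example's own, not
    Carbon Black Cloud API or Data Forwarder field names."""
    process_guid: str
    os: str                          # "WINDOWS", "MAC" or "LINUX"
    process_name: str
    effective: Optional[Signature] = None
    most_prevalent: Optional[Signature] = None
    first_seen: Optional[Signature] = None

def signature_suppressed(rec: ProcessRecord) -> bool:
    """Linux processes and the Windows SYSTEM process never carry signature data."""
    return rec.os == "LINUX" or (rec.os == "WINDOWS" and rec.process_name.lower() == "system")

def select_signature(rec: ProcessRecord):
    """Console priority: Effective, then Most Prevalent, then First Seen; None if suppressed/absent."""
    if signature_suppressed(rec):
        return None
    for label, sig in (("Effective Signature", rec.effective),
                       ("Most Prevalent Signature", rec.most_prevalent),
                       ("First Seen Signature", rec.first_seen)):
        if sig is not None:
            return label, sig
    return None

def signature_divergence(rec: ProcessRecord) -> dict:
    """Compare the Effective Signature with the historical one the console pairs it with
    (Most Prevalent, else First Seen). A changed status or publisher is a triage lead."""
    historical = rec.most_prevalent or rec.first_seen
    if signature_suppressed(rec) or rec.effective is None or historical is None:
        return {}
    return {prop: (getattr(historical, prop), getattr(rec.effective, prop))
            for prop in ("status", "publisher")
            if getattr(historical, prop) != getattr(rec.effective, prop)}

# Constructed sample: this hash is mostly seen signed, but this instance ran unsigned.
SAMPLE = ProcessRecord("constructed-guid-1", "WINDOWS", "updater.exe",
                       effective=Signature("Unsigned"),
                       most_prevalent=Signature("Signed and verified", "Example Corp", "Example CA"))
```

For the sample record the console would display the Effective Signature ("Unsigned"), while the divergence check reports that the same hash was historically signed by "Example Corp".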
On the Binary Details page, for Carbon Black Cloud Enterprise EDR customers, the signature data is labeled "Most Prevalent Signature" for consistency. The Ban popup does not present the relevant signature data because the only signature data that is relevant in the Binary context is Most Prevalent, which is already clearly displayed on the Binary Details page.